Extending the Permission Service to allow permissions based on aspects

Question asked by vamirr on Jul 24, 2015
Latest reply on Jul 28, 2015 by vamirr
I would like to be able to assign permissions based on aspects.

Use case:
Our Alfresco deployment uses External Authentication for logging in. Our external authentication method allows users to log in by login/password or using a two factor method involving a Common Access Card.
The external authentication system sets an HTTP header variable that identifies which method the user used to log in.  An Alfresco extension sets an aspect attribute on the user's person node corresponding to their method of login.
Our Alfresco deployment houses a subset of documents that, by policy, should only be seen/accessed by users who have logged in via the two factor method.  These sensitive documents are marked as such using an aspect.
Permission to documents needs to be determined based on whether the user has permission to the document through their site access, the user's authentication method and the document's sensitivity.

Looking at some of the Alfresco documentation on the permission service, it appears that this is what I need to extend/modify in order to accomplish what I want. Note that the referenced page says that the permission service is responsible for 'Determining if the current, authenticated user has permission to a node'.

Outside of defining/modifying permission definitions, there's not a lot of information or examples on how to go about extending the permission service.  What classes of the permission service perform the action of determining whether a user has permission to a node?  What is the best way to go about extending it to look at whether the user's aspect indicates they have authenticated via two-factor and whether the current document requires it for access?
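An added example, not code from vamirr's post and not part of Alfresco itself: a standalone Java check that applies the rule from the use case on top of the stock PermissionService (the ordinary ACL/site result is necessary, the two-factor aspect is required only when the document carries the sensitive aspect, and a user that cannot be resolved is denied). The namespace URI and both aspect names are assumed placeholders; wiring such a check into Alfresco's own permission evaluation is what the question above asks about.

```java
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.namespace.QName;

public class SensitiveDocumentAccessCheck {

    // Assumed custom model namespace and aspect names (placeholders, not Alfresco's).
    private static final String MODEL_URI = "http://example.com/model/1.0";
    static final QName ASPECT_TWO_FACTOR_LOGIN = QName.createQName(MODEL_URI, "twoFactorLogin");
    static final QName ASPECT_SENSITIVE = QName.createQName(MODEL_URI, "sensitive");

    private final PermissionService permissionService; // the regular Alfresco service
    private final NodeService nodeService;
    private final PersonService personService;

    public SensitiveDocumentAccessCheck(PermissionService permissionService,
                                        NodeService nodeService,
                                        PersonService personService) {
        this.permissionService = permissionService;
        this.nodeService = nodeService;
        this.personService = personService;
    }

    /** ALLOWED only if the stock ACL check allows the permission AND either the
     *  document is not sensitive or the current user's person node carries the
     *  two-factor aspect. Any failure to resolve the user denies (fail closed). */
    public AccessStatus hasPermission(NodeRef document, String permission) {
        AccessStatus base = permissionService.hasPermission(document, permission);
        if (base != AccessStatus.ALLOWED) {
            return base; // site/ACL permission is necessary but never sufficient
        }
        if (!nodeService.hasAspect(document, ASPECT_SENSITIVE)) {
            return AccessStatus.ALLOWED; // non-sensitive: the normal rules decide
        }
        String user = AuthenticationUtil.getFullyAuthenticatedUser();
        // personExists() first: getPerson() may auto-create a person node otherwise
        if (user == null || !personService.personExists(user)) {
            return AccessStatus.DENIED;
        }
        NodeRef person = personService.getPerson(user);
        return nodeService.hasAspect(person, ASPECT_TWO_FACTOR_LOGIN)
                ? AccessStatus.ALLOWED
                : AccessStatus.DENIED;
    }
}
```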